Permissions¶
This page describes the permission model used by OneClickExt to control which users may launch which scripts. Permissions apply to scripts invoked from the web interface (Script Server) and are evaluated server-side before execution. Scripts launched directly from the Spectrum console are not subject to this check.
How permissions work¶
Permissions are evaluated in two passes:
- Direct script permission — the user is explicitly listed as allowed to run the script.
- Group permission — the user belongs to a group, and the script is assigned to that group.
If either check passes, the script is permitted.
Defining groups¶
A group is a named collection of scripts:
oneclickext.scripts.groups.<groupname>: <script1> <script2> ...
Example:
oneclickext.scripts.groups.Reboot: RebootDevice RebootDevice2
Assigning permissions to users¶
Via group membership¶
oneclickext.scripts.users.<username>.groups: <group1> <group2> ...
Example:
oneclickext.scripts.users.tomcat.groups: Reboot
oneclickext.scripts.users.spectrum.groups: Reboot
Via direct script assignment¶
oneclickext.scripts.users.<username>.scripts: <script1> <script2> ...
Use the special value all to grant access to every script:
oneclickext.scripts.users.sladmin.scripts: all
Both types can be combined for the same user:
oneclickext.scripts.users.spectrum.groups: Reboot
oneclickext.scripts.users.spectrum.scripts: SetModelName testscript
Complete example¶
# Groups
oneclickext.scripts.groups.Reboot: RebootDevice RebootDevice2
# Users via group
oneclickext.scripts.users.tomcat.groups: Reboot
oneclickext.scripts.users.sladmin.groups: Reboot
oneclickext.scripts.users.spectrum.groups: Reboot
# Users via direct script assignment
oneclickext.scripts.users.sladmin.scripts: SetModelName testscript
oneclickext.scripts.users.spectrum.scripts: SetModelName testscript
In this example:
- tomcat, sladmin, and spectrum may all run RebootDevice and RebootDevice2 (via the Reboot group).
- sladmin and spectrum may additionally run SetModelName and testscript directly.